Chinese Hackers Compromise ISP To Poison DNS Responses

Researchers at the cybersecurity firm Volexity on Friday revealed that a Chinese hacking group ‘StormBamboo’ has successfully compromised an internet service provider (ISP) to abuse automatic software updates with malware.

This Chinese cyber-espionage threat group, also tracked as Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and several Southeast and East Asian countries (via BleepingComputer).

During one incident investigated by Volexity, the threat researchers discovered that StormBamboo targeted software that used insecure update mechanisms, such as plain HTTP, and did not properly validate the digital signatures of installers, in order to deploy malware payloads on victims’ machines running macOS and Windows.
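The two weaknesses named above (updates fetched over plain HTTP and installers executed without a signature check) are exactly what a DNS-level redirect exploits, because the client has no way to tell a legitimate update server from one an attacker has steered it to. The following Go program, added here as an illustration and not code from Volexity, BleepingComputer or any of the affected vendors, shows the check a hardened updater should perform before running a download: refuse non-HTTPS update URLs, and verify an Ed25519 signature from a pinned vendor key over the installer's SHA-256 digest. The manifest format, key handling and `SignManifest` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest describes one downloadable installer. In this hypothetical
// format the vendor signs the SHA-256 digest of the installer with a key whose
// public half ships inside the application, so the client can verify the
// download no matter which server (or which DNS answer) it came from.
type UpdateManifest struct {
	URL       string   // where the installer is fetched from
	Digest    [32]byte // SHA-256 of the genuine installer bytes
	Signature []byte   // Ed25519 signature over Digest[:]
}

var (
	ErrInsecureTransport = errors.New("update URL must use https")
	ErrBadSignature      = errors.New("manifest signature is invalid")
	ErrDigestMismatch    = errors.New("installer digest does not match manifest")
)

// ValidateUpdate is the check an updater should run before executing a
// downloaded installer. It refuses plaintext HTTP and any installer whose
// digest is not covered by a valid signature from the pinned vendor key.
func ValidateUpdate(m UpdateManifest, installer []byte, vendorKey ed25519.PublicKey) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport
	}
	// Verify the signature first: an unsigned or tampered manifest is
	// worthless regardless of what was downloaded.
	if !ed25519.Verify(vendorKey, m.Digest[:], m.Signature) {
		return ErrBadSignature
	}
	// Only then compare the download against the signed digest.
	if sha256.Sum256(installer) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

// SignManifest is the vendor-side release step (assumed for the example):
// hash the installer and sign the hash with the private key.
func SignManifest(rawURL string, installer []byte, priv ed25519.PrivateKey) UpdateManifest {
	digest := sha256.Sum256(installer)
	return UpdateManifest{URL: rawURL, Digest: digest, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed installer bytes v1.2.3")
	m := SignManifest("https://updates.example-vendor.test/app-1.2.3.pkg", genuine, priv)

	fmt.Println("genuine installer over https:", ValidateUpdate(m, genuine, pub))

	// An installer swapped out on the wire fails the digest check even though
	// the manifest itself is authentic.
	swapped := []byte("constructed backdoored installer bytes")
	fmt.Println("substituted installer:", ValidateUpdate(m, swapped, pub))

	// A manifest pointing at a plain-HTTP URL is rejected before any crypto.
	httpOnly := m
	httpOnly.URL = "http://updates.example-vendor.test/app-1.2.3.pkg"
	fmt.Println("http update url:", ValidateUpdate(httpOnly, genuine, pub))
}
```

Note that the digest check alone would not help if the attacker could also serve a manifest of their own; the signature over the digest, checked against a key that was already on the machine, is what makes a redirected download detectable.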

“When these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot),” Volexity explained in a report published on Friday.

To do that, the attackers intercepted and modified victims’ DNS requests, redirecting them to malicious IP addresses.

This technique delivered malware to the victims’ systems from StormBamboo’s command-and-control (C2) servers and required no user interaction.
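Because the poisoning happened upstream at the ISP, the victims' own resolver logs would have been the first place a divergence was visible: an update domain suddenly answering from an address outside the vendor's usual ranges. The Go program below, added as an illustration and not code from Volexity or the ISP involved, runs that check over a few constructed resolver log lines. The key=value log format, the domain names and the baseline prefixes are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Constructed resolver log lines in a key=value format assumed for this
// example. The second line is the kind of answer an upstream DNS poisoning
// produces: a monitored update domain resolving to an unexpected address.
const sampleLog = `ts=2024-08-02T09:00:01Z client=10.0.0.5 qname=updates.vendor-a.test qtype=A answer=198.51.100.20
ts=2024-08-02T09:00:07Z client=10.0.0.9 qname=updates.vendor-a.test qtype=A answer=203.0.113.77
ts=2024-08-02T09:00:12Z client=10.0.0.5 qname=dl.vendor-b.test qtype=A answer=192.0.2.33
ts=2024-08-02T09:00:15Z client=10.0.0.7 qname=www.unrelated.test qtype=A answer=203.0.113.5
`

// updateBaseline lists, per monitored update domain, the prefixes the vendor
// legitimately answers from (constructed values; in practice this would be
// built from vendor documentation or a historical baseline of answers).
var updateBaseline = map[string][]string{
	"updates.vendor-a.test": {"198.51.100.0/24"},
	"dl.vendor-b.test":      {"192.0.2.0/24"},
}

// Alert records one answer for a monitored domain that fell outside its baseline.
type Alert struct {
	Ts, Client, QName, Answer string
}

// parseFields splits "k=v k=v ..." into a map; malformed tokens are ignored.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// FindPoisonedAnswers returns one Alert per A-record answer for a monitored
// update domain whose address is not inside any baseline prefix. Domains that
// are not in the baseline are not judged at all.
func FindPoisonedAnswers(logText string, baseline map[string][]string) ([]Alert, error) {
	prefixes := map[string][]netip.Prefix{}
	for name, cidrs := range baseline {
		for _, c := range cidrs {
			p, err := netip.ParsePrefix(c)
			if err != nil {
				return nil, fmt.Errorf("baseline for %s: %w", name, err)
			}
			prefixes[name] = append(prefixes[name], p)
		}
	}

	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := parseFields(sc.Text())
		allowed, monitored := prefixes[f["qname"]]
		if !monitored || f["qtype"] != "A" {
			continue
		}
		addr, err := netip.ParseAddr(f["answer"])
		if err != nil {
			return nil, fmt.Errorf("bad answer %q: %w", f["answer"], err)
		}
		inBaseline := false
		for _, p := range allowed {
			if p.Contains(addr) {
				inBaseline = true
				break
			}
		}
		if !inBaseline {
			alerts = append(alerts, Alert{Ts: f["ts"], Client: f["client"], QName: f["qname"], Answer: f["answer"]})
		}
	}
	return alerts, sc.Err()
}

func main() {
	alerts, err := FindPoisonedAnswers(sampleLog, updateBaseline)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s client %s resolved %s to %s (outside baseline)\n", a.Ts, a.Client, a.QName, a.Answer)
	}
}
```

A baseline comparison like this is cheap to run continuously and would also catch the case the article describes, where the redirect was applied to a whole ISP rather than to a single client; a complementary check is to resolve the same update domains through an independent path (for example a resolver outside the affected ISP) and raise an alert when the two sets of answers disagree.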

Volexity found StormBamboo targeting multiple software vendors that use automatic update mechanisms, with differing levels of complexity in the steps used to push malware.

“For instance, they took advantage of 5KPlayer requests to update the youtube-dl dependency to push a backdoored installer hosted on their C2 servers,” the BleepingComputer report stated.

“After compromising the target’s systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data.”

The threat researchers notified and worked with the ISP, which then investigated key traffic-routing devices on its network. The ISP rebooted and took specific network components offline, which immediately stopped the DNS poisoning.

“StormBamboo is a highly skilled and aggressive threat actor who compromises third parties (in this case, an ISP) to breach intended targets.

The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances,” the researchers concluded.

Kavita Iyer (https://www.techworm.net)
